Still Can’t Win the Core Wars: A Report from Black Hat

• Imperiled the notion that Xen hypervisor (or any program) can bootstrap itself securely on a already-running computer by establishing a dynamic root of trust measurement (DRTM) using the Trusted Platform Module (TPM)• Hacked the BIOS System Management Mode (SMM), demonstrating that attackers are just as capable of moving “down the stack” as “up the stack”• Left Intel and/or other vendors with a major homework assignment to overcome design problems in the TXT

If valid, the Wojtczuk and Rutkowska exploits once again demonstrate the fallibility of software-on-software defenses, concerning which I previously posted Can’t Win the Core Wars. That post was about Black Hat 2008 exploits that demonstrate limitations in Data Execution Prevention (DEP) and related protections. This week’s new Black Hat exploits deal additional blows to the defensive team.ITL’s presentation gave some background on what parts of the TXT are broken, how it was done, and what remains intact. First of all, understand that the TPM has a set of PCR registers that can hold hash values of critical system software modules. As the computer boots, first the BIOS ROM, then the BIOS PCI FLASH, OS boot loaders, and OS kernel load up in succession; the hash of each component’s in-memory bits is checked against the PCR values before continuing to the next. At the end of the process, if each component checks out, you have what’s called a static root of trust measurement (SRTM).

The good news is that ITL’s exploits do not affect SRTM. The bad news is that SRTM isn’t very scalable. It takes a lot of software to get a general purpose computer going, and even more if one wants to initialize a hypervisor on top of the OS and then yet another OS inside of a virtual machine. SRTM requires initializaing PCR registers with the information to measure every possible piece of code that might be executed since the system boot.

To address SRTM’s scalability issues, Intel’s TXT includes a dynamic root of trust (DRTM) capability. DRTM uses an instruction called “SENTER” (AMD has a similar one called “SKINIT”) to extend a PCR register with the hash of a program to be loaded after the computer has booted. For example, an initialization program could issue SENTER with the hash of a virtual machine monitor (VMM), load the VMM, and only activate it after the PCR attestation checks out. DRTM is also called “late launch,” and it is intended to transfer a system from an unknown/untrusted state to a known/measured or trusted state. This is a wonderful widget to have for dealing with unmanaged computers belonging to home users, consultants, customers, etc.

But DRTM can be attacked through the System Management Mode (SMM) code, which as part of BIOS is more privileged than OS kernels (ring 0) and hypervisors (ring -1). Think of the SMM as “ring -2.” SMM is loaded before late launch. It can, so to speak, eat your launch, heh. TXT does not repeat the SMM attestation after boot time, and ITL’s research suggests that attestation of running code is not reliable in any case.

Wojtczuk and Rutkowska went on with an entertaining description of their dialogue with Intel. Intel claims that exploiting SMM is hard, but ITL makes it look easy. Apparently, ITL has broken SMM with multiple attacks, including one with a soldering iron to replace a chip on the motherboard. But the software attacks are easier, and there are multiple SMM bugs. Intel has been informed of these bugs and patched them, but then ITL found new bugs.

Apparently, SMM is large and complex because it must interact with many complex computer components. It must be tuned to each new motherboard and changes often. As such, SMM is a difficult program to harden, validate, and trust. When I asked an Intel representative about the SMM hack, he called it an “industry-wide problem” and said Intel had reached out to CERT to help coordinate repairs.ITL says Intel’s solution to the DRTM TXT attack will be an SMM Transfer Monitor (STM). As best as I can understand it, STM will virtualize the BIOS so that it can be rebooted during a late launch. ITL said Intel argued persuasively that it could do a better job of protecting STM because it would be smaller and simpler than SMM. But STM does not exist yet, so we must stay tuned.

Editor comment: Don’t you love it when the vendor’s fix to an exploit adds another layer of complexity? They always seem to make software more complex, and then tell us it’s more secure. But at least most of the time, it’s not.

On to the bottom line: Very few, if any, organizations are using DRTM in any way, shape, or form. However, system management mode (SMM) and BIOS are ubiquitous and exploits against them open a worrisome new front for rootkits and weaken the value proposition for hypervisors. ITL is giving Intel more time for patches before releasing the actual exploits, so it’s too early to tell how effective the countermeasures will be and how many rootkits will crop up in the wild. In the short term, make sure you’re prepared to patch SMM on existing systems and that anti-rootkit defenses cover SMM. In the long term, take vendor claims of DRTM with a large grain of salt.